On Fri, Aug 26, 2022 at 5:27 PM German Maglione <[email protected]> wrote: > > On Thu, Aug 18, 2022 at 1:16 AM Elaheh Dehghani <[email protected]> wrote: > > > > We are using an unprivileged user to run virtiofsd in its own user > > namespace. We have a guest VM running on top of QEMU with KVM. We are > > sharing files from the host to the guest and we need to make sure only > > certain users/groups in the guest can read/write those files. Currently > > there is only one uid/gid that’s mapped correctly (the virtiofsd user on > > the host is mapped to guest) and everything else is mapped to nobody. > > > > It seems the reason is that unprivileged virtiofsd only maps current > > uid/gid when it's running inside its own user namespace. > > > > Due to some resource limitations that we have in our system, we can't use a > > container-engine such as lxc-usernsexec to map a range of uids/gids. So, > > I'm trying to figure out if there is a way to patch the ‘setup_id_mappings’ > > in virtiofsd code to support our specific scenario. > > > > > > The additional mapping that we need is for uid/gid=1000. What I've done: > > > > - Defined 1000:100000:65536 in both /etc/subuid and /etc/subgid > > > > - Changed this line src/sandbox.rs · main · virtio-fs / virtiofsd · > > GitLab to something like: > > > > - let uid_mapping = format!("{} {} 1\n1000 1000 1\n", uid, uid); > > > > > > After running virtiofsd, I’m getting this error: > > > > Error entering sandbox: WriteUidMap(Os { code: 1, kind: PermissionDenied, > > message: “Operation not permitted” }) > > > > > > What am I missing here? > > As non-privilege user, you are only allowed to map the user UID -> > same NS-UID (as virtiofsd does) or user UID -> NS-UID 0, > by writing directly to '/proc/PID/{uid_map, gid_map}. > > Mapping a range of UIDS/GUIDS is a privileged operation, you need to > set the content of both '/etc/subuid' and '/etc/subgid ' > and run newuidmap/newgidmap. > > You could "manually" create the user namespace with "unshare -U", map > the uids/guid using newuidmap/newgidmap, and run virtiofsd > --sandbox=chroot > For instance (as user 1000): > > shell_0_$ unshare -U > shell_0_$ echo $$ > 1234 > > (in a different terminal) > shell_1_$ newuidmap 1234 0 100000 65536 > shell_1_$ newgidmap 1234 0 100000 65536 > > (now in the previous terminal) > shell_0_$ virtiofsd --sandbox=chroot ... > > Although lxc-usernsexec is a small tool that only creates user > namespaces and calls newuidmap/newgidmap to do the uid/gid mapping >
I forgot to mention, as an alternative you can patch the virtiofsd code removing the 'setup_id_mapping()' call. So you can run virtiofsd --sandbox=namesapce ... and then just call newuidmap/newgidmap with the virtiofsd PID Cheers, -- German _______________________________________________ Virtio-fs mailing list [email protected] https://listman.redhat.com/mailman/listinfo/virtio-fs
